Hi Steve,

Norton, for instance, checks data headers, file names, checks for particular functions, etc. It checks for signatures.

Along with that, it has a technology called Bloodhound, which stands for its heuristics analysis. It works with another technology called Striker. These two technologies work by creating a 'virtual computer' so the file can run normally prior to interacting with the user or the 'real' environment. Maybe this file doesn't have any known signatures but, running in Bloodhound, Norton can notice particularly weird behaviours, like MBR access, file attribute change, VB scripts running abnormal functions, etc. Then it gives this file a stamp telling you that it's virus activity and puts it in quarantine. This technology is really mature now and it's not likely to see false positives.

You can go to Symantec's web site and search for Bloodhound. They have a neat whitepaper explaining technically all the aspects of their antivirus technologies, including scanning functions.

all the best,
Fatfinger

----- Original Message -----
From: "Steve" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 31, 2002 12:17 AM
Subject: Virus Scanners

> Hi all,
>
> My question for today is: how do virus scanners work? I mean the really
> excellent scanners like Sophos and Norton, amongst others.
>
> I mean, they do check for signatures of a virus identity? But what method?
> I can think of a few possibilities to make my question clearer ....
>
> 1. Scan for size of file, or header of file, or structure of file (probably
> not)
> 2. Scan for include files and include library, and procedures?
> 3. Scan for the sequence in which a file executes, e.g. getting
> addresses, then open socket, connect to SMTP?
> 4. Scan for standard declared texts? e.g. Subject db "Credit Card details",0
>
> Question begs to be asked: if updated virus identity files are 'modified',
> can it become a threat to the virus programs, since they mostly run with
> SYSTEM privileges? How is this prevented?
>
> Thanks in advance, I am very curious.
>
> regards
>
> Steve
>
> note: One of our readers has a virus; it was sent to those who responded
> to the WAN/LAN Remote Management thread. I don't know who it is as the return
> path is altered. It had a ".mp3.pif" extension with no malicious payload.
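As an added illustration of the signature-plus-heuristic approach described in the reply above, and of the definitions-file integrity question raised in the original message, here is a small Python scanner. It is constructed for this page and is not Symantec's, Sophos's or any vendor's code: the signature entries, the indicator strings, the weights, the threshold and the sample files are all made up. The SHA-256 digest check on the definitions blob stands in for the signed definition updates that real products verify before loading, which is the usual answer to "what if the identity file is modified": a tampered file fails verification and is refused rather than trusted.

```python
"""Toy signature + heuristic file scanner (constructed teaching example, not vendor code)."""
import hashlib
import re

# Constructed definitions "file": lines of  name|hex-encoded byte pattern.
# These are made-up markers, not real malware signatures.
DEFINITIONS_BLOB = b"\n".join([
    b"Toy.Sample.A|544f592d53414d504c452d41",  # hex of b"TOY-SAMPLE-A"
    b"Toy.Sample.B|4241442d4d41524b4552",      # hex of b"BAD-MARKER"
])

# In a real product the trusted digest (or a signature over it) ships separately
# from the vendor; here it is computed once at import purely so the example runs.
TRUSTED_DIGEST = hashlib.sha256(DEFINITIONS_BLOB).hexdigest()


def load_definitions(blob: bytes, trusted_digest: str) -> dict:
    """Parse the definitions blob, but only if its digest matches the trusted value.
    A modified definitions file is rejected instead of being loaded into the scanner."""
    if hashlib.sha256(blob).hexdigest() != trusted_digest:
        raise ValueError("definitions file failed integrity check; refusing to load")
    sigs = {}
    for line in blob.splitlines():
        if not line.strip():
            continue
        name, hexpat = line.split(b"|", 1)
        sigs[name.decode()] = bytes.fromhex(hexpat.decode())
    return sigs


# Constructed heuristic indicators, loosely following the list in the original message:
# imported libraries/procedures (item 2), declared text strings (item 4), and the
# disguised double extension mentioned in the note at the end of the thread.
NETWORK_IMPORTS = [b"ws2_32.dll", b"wsock32.dll", b"WSAStartup", b"connect", b"send"]
SMTP_STRINGS = [b"HELO ", b"MAIL FROM:", b"RCPT TO:", b"Subject:"]
DOUBLE_EXT = re.compile(r"\.(mp3|jpg|txt|doc)\.(pif|scr|exe|bat|vbs)$", re.IGNORECASE)


def heuristic_score(data: bytes, filename: str):
    """Static heuristics: return (score, reasons). Weights are arbitrary for the demo."""
    score, reasons = 0, []
    if data[:2] == b"MZ":
        # Header check (item 1): note it, but an MZ header alone is normal for any EXE.
        reasons.append("executable header (MZ)")
    net = [s.decode() for s in NETWORK_IMPORTS if s in data]
    if net:
        score += 2
        reasons.append("network procedures: " + ", ".join(net))
    mail = [s.decode().strip() for s in SMTP_STRINGS if s in data]
    if len(mail) >= 2:
        score += 3
        reasons.append("SMTP command strings: " + ", ".join(mail))
    if DOUBLE_EXT.search(filename):
        score += 3
        reasons.append("disguised double extension in filename")
    return score, reasons


def scan(data: bytes, filename: str, sigs: dict, threshold: int = 4) -> dict:
    """Signature match first (exact verdict); otherwise fall back to weighted heuristics."""
    for name, pattern in sigs.items():
        if pattern in data:
            return {"verdict": "infected", "detail": name, "score": None}
    score, reasons = heuristic_score(data, filename)
    if score >= threshold:
        return {"verdict": "suspicious", "detail": "; ".join(reasons), "score": score}
    return {"verdict": "clean", "detail": "; ".join(reasons), "score": score}


# Constructed sample "files" (not real binaries).
SAMPLE_MAILER = (b"MZ\x90\x00" + b"\x00" * 16 +
                 b"ws2_32.dll\x00WSAStartup\x00HELO \x00MAIL FROM:\x00RCPT TO:\x00"
                 b"Subject: Credit Card details\x00")
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 16 + b"kernel32.dll\x00CreateFileA\x00"
SAMPLE_SIGNED = b"hello TOY-SAMPLE-A world"
SAMPLE_AUDIO = b"just some audio bytes"


def demo():
    """Run the four samples through a verified definitions set and return the verdicts."""
    sigs = load_definitions(DEFINITIONS_BLOB, TRUSTED_DIGEST)
    return {
        "mailer": scan(SAMPLE_MAILER, "invoice.exe", sigs)["verdict"],
        "clean": scan(SAMPLE_CLEAN, "notepad.exe", sigs)["verdict"],
        "signed": scan(SAMPLE_SIGNED, "readme.txt", sigs)["verdict"],
        "double_ext": scan(SAMPLE_AUDIO, "song.mp3.pif", sigs)["verdict"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

This only covers the static checks (header, imported procedures, declared text, filename). The execution-order question in item 3 is exactly what the emulation approach in the reply addresses: the file is run inside a 'virtual computer' and the scanner watches what it does (MBR access, attribute changes, and so on) instead of guessing from byte patterns. Note how `song.mp3.pif` scores 3 and stays "clean" at the default threshold of 4 but would be flagged at 3; threshold and weight tuning is where a real engine spends its effort.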